KEYCLOAK-7237 : Redirect URI is adding port zero to the url
by Shawn Fu Sheng
Dear keycloak team,
I encountered a redirect_uri error. I found the same issue logged in the JIRA below; I just want to check whether there is any workaround. Can anyone help? Thank you in advance.
KEYCLOAK-7237 <https://issues.jboss.org/browse/KEYCLOAK-7237>
2018-06-30 11:34:13,996 WARN [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=Victz, clientId=portal, userId=null, ipAddress=175.156.168.158, error=invalid_redirect_uri, redirect_uri=https://www.mydomain.com:0/home
I am using an Apache HTTP reverse proxy running on CentOS 7, WildFly 10, Keycloak 3.4.3. I have also tried the environments below but get the same error.
Tried in:
WildFly 10, WildFly 11, JBoss 7.1
Keycloak 3.4.3 as well as Keycloak 4.0
I also tried shutting down Apache HTTP and accessing http://www.mydomain.com:8080/home directly, but the return_uri seems to have been automatically converted to https with port 0.
Please see the standalone.xml below; I tried removing the config below (in red) but no luck.
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" proxy-address-forwarding="true" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <location name="/drive" handler="drive"/>
            <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; &quot;%{i,COOKIE}&quot; &quot;%{o,SET-COOKIE}&quot; %S &quot;%I %T&quot;" prefix="access."/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
        <host name="mydomain1" alias="mydomain1.com,www.mydomain1.com" default-web-module="mydomain-0.1.war">
            <location name="/drive" handler="drive"/>
            <filter-ref name="proxy-peer"/>
            <filter-ref name="request-dumper" priority="30"/>
        </host>
        <host name="mydomain2" alias="mydomain2.com,www.mydomain2.com" default-web-module="mydomain2-0.1.war">
            <location name="/drive" handler="drive"/>
            <filter-ref name="proxy-peer"/>
            <filter-ref name="request-dumper" priority="30"/>
        </host>
        <host name="mydomain3" alias="mydomain3.com,www.mydomain3.com" default-web-module="mydomain3-0.1.war">
            <location name="/drive" handler="drive"/>
            <filter-ref name="proxy-peer"/>
            <filter-ref name="request-dumper" priority="30"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
        <file name="drive" path="/app/drive"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
        <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core"/>
        <filter name="request-dumper" class-name="io.undertow.server.handlers.RequestDumpingHandler" module="io.undertow.core"/>
    </filters>
</subsystem>
Rds,
Shawn
6 years, 6 months
x509 - serial number as a HEX
by Karol Buler
Hi Everybody,
Is there any possibility to get the Serial Number field from the certificate in
the x509 authentication flow as a HEX value instead of an Integer?
I've set the x509 Direct Grant authentication flow to take the Serial Number
as the username, and I expected that it would be the HEX value which I
see in the certificate, but I got the Integer representation of it in my User
Storage Federation classes.
Karol
6 years, 6 months
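For the serial-number question above, an added Python example (not from the post or from Keycloak) that maps between the decimal string the x509 flow hands a user storage provider as the username and the hex form printed in the certificate. It assumes the username is Java BigInteger.toString() of the serial; the sample serial values are constructed.

```python
def serial_decimal_to_hex(serial_decimal, colon=False):
    """Turn the decimal serial string received as the username (assumed to be
    BigInteger.toString() of the certificate serial) into the hex form shown
    in the certificate, e.g. by `openssl x509 -serial`: uppercase and padded
    to whole bytes as in the DER encoding."""
    value = int(serial_decimal.strip())
    if value < 0:
        raise ValueError("X.509 serial numbers are positive integers")
    digits = format(value, "X")
    if len(digits) % 2:
        digits = "0" + digits
    if colon:
        return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))
    return digits


def serial_hex_to_decimal(serial_hex):
    """Reverse mapping, so a serial stored as hex (with or without colons,
    spaces or a 0x prefix) can be compared with the decimal username."""
    cleaned = serial_hex.strip().lower().replace(":", "").replace(" ", "")
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    return str(int(cleaned, 16))


def same_serial(decimal_username, stored_hex):
    """Compare the two representations regardless of formatting."""
    return serial_hex_to_decimal(stored_hex) == str(int(decimal_username))


if __name__ == "__main__":
    # Constructed sample: decimal 662316 is the serial 0A:1B:2C.
    print(serial_decimal_to_hex("662316", colon=True))
    print(same_serial("662316", "0a:1b:2c"))
```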
How to use Keycloak in CakePHP Application
by Kanhaiya Ora
Hi Developers,
I am a PHP developer.
I am a beginner with Keycloak, so can you help me with how to set up Keycloak
with a *CakePHP* application?
I haven't found any proper documentation on how to configure Keycloak with
a PHP application. If I use the Keycloak REST API to configure Keycloak
with a PHP application, then we want to use Keycloak Admin as a REST API
server.
If you have any proper documentation or video tutorial on configuring
Keycloak with a PHP application, please send me the link so I can start working
on Keycloak with my application.
Thanks in Advance.
--
*Kanhaiya Ora*
*Sr. Software Developer, Xin Performance*
E:kanhaiya@xinperformance.com
T: +91 9755518055
W: xinperformance.com
6 years, 6 months
username to be used for importing users
by Leonid Rozenblyum
Hello!
We're using 2 keycloak instances.
SP -> Keycloak (broker) -> Keycloak (Identity provider)
How can we configure the broker to create usernames equal to the original
username from Keycloak (IdP)? Now the new users inside the broker receive a
G-.... (long meaningless string)
username during the first log-in.
So if a user logs in through the IdP with login 'hello', we would like user
'hello' to be created in the broker.
Thank you for your advice.
6 years, 6 months
Keycloak DB connection reset
by Pulkit Srivastava
Hi,
I am using Keycloak with an AWS MySQL RDS instance. The problem I am facing is
that after some time the DB connection is reset and I have to restart the
Keycloak server to make the DB connection again.
It wasn't a problem while I was using Keycloak's in-memory H2 DB.
Please help.
Thanks,
Pulkit
6 years, 6 months
Error while building inside a container
by Rafael Weingärtner
Hello, Keycloak community,
I am trying to build Keycloak 4.0.0.Final, but I keep getting the following
error:
Results :
> Tests in error:
>
> JavascriptAdapterTest.org.keycloak.testsuite.adapter.javascript.JavascriptAdapterTest
> ? Runtime
>
> DemoFilterServletAdapterTest.org.keycloak.testsuite.adapter.servlet.DemoFilterServletAdapterTest
> ? Runtime
>
> DemoServletsAdapterTest.org.keycloak.testsuite.adapter.servlet.DemoServletsAdapterTest
> ? Runtime
>
> Tests run: 1703, Failures: 0, Errors: 3, Skipped: 247
>
I don't understand it. Has someone here seen something similar? I am
running the build inside a Docker container; can this be the problem?
Could I be missing some dependency or something else?
I am using Debian 8.11, Java 8_171 and Maven 3.5.4. When I try to build
on a bare server, everything works.
--
Rafael Weingärtner
6 years, 6 months
Authorization Services - Admin Console
by gambol
Hiya
I'm guessing this isn't possible yet, but just in case: is it possible to
provide fine-grained controls over the creation of local accounts? At the
moment we have a project to whom we gave the ability to control membership
of one or more groups via "User Policy" in authorization services. We would
like them to be able to "create" a user as well, but retain the above
limitation. At the moment this doesn't look like it's possible, as the only
way to get the "Add User" button is to add the "manage-users" role from
"realm-management" .. This unfortunately gives them access to do anything
they want with the users .. adding a group, deleting, etc.
Are there any plans to extend the scopes available under the Users
resource type? ..
Rohith
6 years, 6 months
Forbidden error on keycloak
by vandana thota
We are configuring single sign-on for the application which we deployed
on a WildFly instance, using Keycloak, Okta and the application on the
WildFly instance.
I could add or import the external IdP metadata in Keycloak under the
"Add identity provider" tab. I could see a tab (Saml-sample app) on the
Keycloak page.
Case 1: When I click on the tab (Saml-sample app) on Keycloak it redirects
to the Okta page; I gave the credentials and after that it redirects to
Keycloak and shows this error:
Forbidden
You don't have access to the requested resource.
Go to the home page »
PFA
What needs to be done in order to achieve the single sign-on configuration
for the application which we deployed on the WildFly instance?
Do we have to configure anything on the application side?
Thanks.
6 years, 6 months
Re: [keycloak-user] Keycloak 4
by Pedro Igor Silva
Think we are missing this in docs :)
You need to enable "User-Managed Access" in Realm Settings (General tab).
On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
> OK, interesting: I didn't know about this console :)
> I can access it with my "test" user, but I don't see the "My Resources"
> menu entry (see screenshot).
> I created some resources owned by that user (using the API). But they
> don't show up.
> What did I miss?
>
> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Yeah, you can access those claims in a JS policy.
>>
>> Regarding the "account management console" take a look here:
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi.
>>
>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <
>> corentin.dupont(a)gmail.com> wrote:
>>
>>> Ok, I see the "claim_token" parameter in the request.
>>> I guess you can retrieve those claims in a javascript rule, from the
>>> evaluation context.
>>>
>>> By the way, I still cannot figure out where the "account management
>>> console" is, where users can manage user access (as per the release notes)??
>>>
>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>> wrote:
>>>
>>>> The new form of obtaining entitlements relies solely on the token
>>>> endpoint, just like when you are obtaining access tokens using other OAuth2
>>>> grant types. With that in mind, the new format of the request should be an
>>>> HTTP POST + parameters. Check this documentation [1] for more details.
>>>>
>>>> Regarding pushing claims to your policies, there is a specific HTTP
>>>> parameter that you can use to pass a Base64 encoded JSON with the claims
>>>> you want to push.
>>>>
>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>>>
>>>>
>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <
>>>> corentin.dupont(a)gmail.com> wrote:
>>>>
>>>>> Thanks Pedro, I went through the pull request.
>>>>> I'm not sure how to modify my entitlement requests?
>>>>> For example I have:
>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>> "permissions" : [
>>>>> {
>>>>> "resource_set_name" : "Sensors",
>>>>> "scopes" : [
>>>>> "sensors:update"
>>>>> ]
>>>>> }
>>>>> ]
>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>
>>>>> This call has been moved to uma-2, right?
>>>>> Can I add pushed claims to this call? What I'm imagining is:
>>>>>
>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>> "permissions" : [
>>>>> {
>>>>> "resource_set_name" : "Sensors",
>>>>> "scopes" : [
>>>>> "sensors:update"
>>>>> ]
>>>>> }
>>>>> ],
>>>>> "claims" : { "owner" : "cdupont" }
>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>
>>>>> In this example, I would like to push the owner of the sensor
>>>>> ("cdupont"), which I take from our own database before calling the API.
>>>>>
>>>>> Sorry about the questions, maybe I should just wait until the
>>>>> documentation is merged :)
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We have a few changes to docs that were not released because the PR
>>>>>> [1] was not merged on time. But you can check about pushed claims (if you
>>>>>> are using our adapters) here [2].
>>>>>>
>>>>>> Regards.
>>>>>> Pedro Igor
>>>>>>
>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>>>>>
>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <
>>>>>> corentin.dupont(a)gmail.com> wrote:
>>>>>>
>>>>>>> Hi guys,
>>>>>>> I'm playing with the new version of Keycloak (
>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>>>
>>>>>>> I have some questions:
>>>>>>> - where is the "account management console"?
>>>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Corentin
6 years, 6 months
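The request shape Pedro describes in the thread above (token endpoint, uma-ticket grant, Base64-encoded JSON pushed in claim_token), as an added Python example that is not from the thread or from Keycloak itself. The parameter names follow Keycloak's UMA grant documentation; the realm, resource, scope and owner claim are the thread's values, and the audience "waziup-api" is an assumed placeholder for the resource server's client id.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Identifiers from Keycloak's UMA 2 token-endpoint documentation.
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
CLAIM_TOKEN_FORMAT_JWT = "urn:ietf:params:oauth:token-type:jwt"


def encode_claim_token(claims):
    """Base64-encode a JSON claim document for claim_token. The documented
    payload lists each claim's values as an array, so scalars are wrapped."""
    normalized = {k: v if isinstance(v, list) else [v] for k, v in claims.items()}
    raw = json.dumps(normalized, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_uma_request(resource, scopes, audience, claims=None):
    """Form body for the token-endpoint request that replaces the old
    /authz/entitlement call: one 'permission' parameter per scope, written
    as resource#scope, plus claim_token/claim_token_format when pushing."""
    params = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    params += [("permission", f"{resource}#{scope}") for scope in scopes]
    if claims:
        params.append(("claim_token", encode_claim_token(claims)))
        params.append(("claim_token_format", CLAIM_TOKEN_FORMAT_JWT))
    return urlencode(params)


def decode_request(body):
    """Parse a body back into (params, pushed claims or None). Pushed claims
    are asserted by the client, so a policy reading them treats them as input."""
    params = parse_qs(body)
    claims = None
    if "claim_token" in params:
        claims = json.loads(base64.b64decode(params["claim_token"][0]))
    return params, claims


def token_endpoint(base_url, realm):
    """URL the body is POSTed to, with an Authorization: Bearer header."""
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


if __name__ == "__main__":
    # Thread values: realm waziup, resource Sensors, scope sensors:update, claim owner=cdupont.
    # The audience "waziup-api" is a constructed placeholder for the resource server's client id.
    body = build_uma_request("Sensors", ["sensors:update"], "waziup-api", {"owner": "cdupont"})
    print(token_endpoint("http://localhost:8080", "waziup"), body, sep="\n")
```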